From 0603620773a3b2f62fc82083d99af9e747889030 Mon Sep 17 00:00:00 2001
From: Neil Hanlon
Date: Sat, 18 Jun 2022 15:03:53 -0400
Subject: [PATCH] Fixes for current RC images

* Make jobs uploads unique and match security context of peridot
* change image build, fix extraction of build artifacts
---
 iso/empanadas/Containerfile | 15 ++++-----------
 .../empanadas/scripts/launch_builds.py | 3 ++-
 iso/empanadas/empanadas/templates/kube/Job.tmpl | 17 +++++++++++------
 3 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/iso/empanadas/Containerfile b/iso/empanadas/Containerfile
index 8bb82ae..ce0ee1d 100644
--- a/iso/empanadas/Containerfile
+++ b/iso/empanadas/Containerfile
@@ -1,17 +1,10 @@
-FROM golang:1.18 as skbn
-
-ADD images/get_arch /get_arch
-RUN git clone https://github.com/rubroboletus/skbn.git /usr/src/app/skbn.git
-
-WORKDIR /usr/src/app/skbn.git
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=$(/get_arch) go build \
- -ldflags "-X main.GitTag=$(git describe --tags --always) -X main.GitCommit=$(git rev-parse --short HEAD)" \
- -o skbn cmd/skbn.go
+FROM ghcr.io/neilhanlon/skbn:latest as skbn
 
 FROM quay.io/centos/centos:stream9
 
+ADD images/get_arch /get_arch
+
 COPY --from=skbn /usr/src/app/skbn.git/skbn /usr/local/bin/skbn
-COPY --from=skbn /get_arch /get_arch
 
 ENV TINI_VERSION v0.19.0
 RUN curl -o /tini -L "https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini-$(/get_arch)"
@@ -69,7 +62,7 @@ RUN chown peridotbuilder:mock /etc/yum.conf && chown -R peridotbuilder:mock /etc
 
 RUN pip install 'git+https://git.rockylinux.org/release-engineering/public/toolkit.git@feature/iso-kube#egg=empanadas&subdirectory=iso/empanadas'
 
-RUN echo "nameserver 1.1.1.1 > /etc/resolv.conf"
+RUN echo "nameserver 1.1.1.1" > /etc/resolv.conf
 
 ENV USER=1002
 USER 1002
diff --git a/iso/empanadas/empanadas/scripts/launch_builds.py b/iso/empanadas/empanadas/scripts/launch_builds.py
index cccdee0..903a743 100755
--- a/iso/empanadas/empanadas/scripts/launch_builds.py
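Review bot: The new build stage `FROM ghcr.io/neilhanlon/skbn:latest as skbn` pulls an unpinned `:latest` tag from a personal GHCR namespace, so the `skbn` binary that ends up in `/usr/local/bin` can change silently between builds and is no longer built from source in this repo; pin it, `FROM ghcr.io/neilhanlon/skbn:latest@sha256:<digest-of-the-verified-image> AS skbn`, or build it from a pinned tag of the upstream project. The context line `COPY --from=skbn /usr/src/app/skbn.git/skbn /usr/local/bin/skbn` now depends on that external image keeping its internal layout, which deserves a note next to the FROM line such as `# skbn is taken prebuilt from this image; the COPY path below must match its build layout`. The added `ADD images/get_arch /get_arch` copies a plain local file and should be `COPY images/get_arch /get_arch` (hadolint DL3020), since `ADD`'s extra behaviours (archive extraction, URL fetch) are not wanted here.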
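Review bot: `RUN echo "nameserver 1.1.1.1" > /etc/resolv.conf` now writes the file as intended, but it is the last filesystem step in the stage, so no build step uses it, and container runtimes (Docker, and the kubelet for the Job this image runs under) normally mount their own `/etc/resolv.conf` over the image's copy, so at run time the line is effectively dead. If it was meant to give the preceding `pip install 'git+https://git.rockylinux.org/...'` step working DNS, it has to come before that RUN; if it was meant for the running job, a hardcoded public resolver would bypass cluster DNS (service names stop resolving) and belongs in the Pod's `dnsConfig` instead. Whichever is intended, record it, e.g. `# build-time DNS only; the runtime resolv.conf is supplied by the container runtime`, or drop the line.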
+++ b/iso/empanadas/empanadas/scripts/launch_builds.py @@ -35,10 +35,11 @@ def run(): architecture=arch, backoffLimit=4, command=["build-iso", "--release", "9", "--rc", "--isolation", "simple"], - containerName="buildiso", + containerName=f"buildiso-{major}-{arch}", imageName="ghcr.io/neilhanlon/sig-core-toolkit:latest", jobName=f"build-iso-{arch}", namespace="empanadas", + major=major, restartPolicy="Never", ) diff --git a/iso/empanadas/empanadas/templates/kube/Job.tmpl b/iso/empanadas/empanadas/templates/kube/Job.tmpl index 1685421..c3b0a92 100644 --- a/iso/empanadas/empanadas/templates/kube/Job.tmpl +++ b/iso/empanadas/empanadas/templates/kube/Job.tmpl @@ -11,9 +11,6 @@ spec: - name: {{ containerName }} image: {{ imageName }} command: {{ command }} - securityContext: - runAsUser: 1002 - privileged: true lifecycle: preStop: exec: @@ -21,10 +18,18 @@ spec: "skbn", "cp", "--src", - "/mnt/compose/9/latest-Rocky-9/", + "/var/lib/mock/rocky-{{ major }}-{{ architecture }}/root/builddir/lorax-*`", "--dst", - "s3://resf-empanadas/{{ containerName }}/" + "s3://resf-empanadas/{{ containerName }}/$(date +%s)/", + "--parallel", + "2" ] + securityContext: + runAsUser: 0 + runAsGroup: 0 + privileged: true + runAsNonRoot: false + allowPrivilegeEscalation: true env: - name: AWS_REGION value: us-east-2 @@ -38,11 +43,11 @@ spec: secretKeyRef: name: empanadas-s3 key: SECRET - restartPolicy: {{ restartPolicy }} tolerations: - effect: NoSchedule key: peridot.rockylinux.org/workflow-tolerates-arch operator: Equal value: {{ architecture }} + restartPolicy: {{ restartPolicy }} backoffLimit: {{ backoffLimit }}
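Review bot: `containerName=f"buildiso-{major}-{arch}"` and `major=major` make the container name and the template aware of the release, but the `command` context line still hardcodes `"--release", "9"`, so the release build-iso receives and the `major` the template sees can drift apart; use `command=["build-iso", "--release", str(major), "--rc", "--isolation", "simple"]` so both come from the same value. `jobName=f"build-iso-{arch}"` likewise omits `major`, so jobs for two releases of the same arch would collide on name in the `empanadas` namespace. `major` is not defined within the hunk and `run()` starts before it, so where it comes from and whether it is already a lowercase string (it is interpolated into a DNS-1123 container name) cannot be checked here.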
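Review bot: The preStop `exec` command is executed directly by the kubelet, not through a shell, so `$(date +%s)` in the new `--dst` value `s3://resf-empanadas/{{ containerName }}/$(date +%s)/` is passed to skbn literally and the uploads do not get the unique per-run prefix the commit message promises; the new `--src` value also ends in a stray backtick character after `lorax-*`, and its `*` glob only works if skbn expands globs itself. Running the invocation through `sh -c` (below) fixes both, assuming a single `lorax-*` directory is expected. The container `securityContext` re-added here (the one removed in the previous hunk ran as uid 1002) now sets `runAsUser: 0` together with `privileged: true` and `allowPrivilegeEscalation: true`, which gives the build effectively root on the node, overrides the image's own `USER 1002`, is rejected by the Pod Security `baseline` and `restricted` profiles, and turns a compromise of anything the build fetches (the `pip install` from a git branch, mock's package downloads) into a node compromise. If mock genuinely needs more than uid 1002, the specific capabilities it needs via `capabilities.add` are far narrower than `privileged`, and the reason should be recorded in the template, e.g. `# root + privileged required for mock's chroot build, see <ticket-placeholder>`. Also, if I read the Kubernetes lifecycle semantics right, a preStop hook does not fire when a container exits on its own, so a Job container that finishes build-iso normally may never run this upload at all; worth verifying against a completed run.
```yaml
          exec:
            command:
              - /bin/sh
              - -c
              - >-
                exec skbn cp
                --src /var/lib/mock/rocky-{{ major }}-{{ architecture }}/root/builddir/lorax-*
                --dst "s3://resf-empanadas/{{ containerName }}/$(date +%s)/"
                --parallel 2
# … unchanged: securityContext and env …
```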